Hi!

On Thu, Oct 05, 2006 at 05:49:40PM +0200, Darknight wrote:
> I should have mentioned this important bit: I'm still with old glibc and gcc
> so I can switch, I need to understand if it's a bad gamble or completely
> safe.

I think it's safe. I converted all my servers to hardened some time ago
without any problems. Here are the versions I have now:
sys-devel/binutils-2.16.1-r3
sys-devel/gcc-3.4.6-r1
sys-kernel/hardened-sources-2.6.16-r11
sys-kernel/linux-headers-2.6.11-r5
sys-libs/glibc-2.3.6-r4
If you have newer versions - this may be a problem.
If you have older versions - it may be a good idea to upgrade to these
versions first (with upgrading/recompiling all other packages), and after
you're sure everything is working you can convert to hardened
(i.e. recompiling everything once again to get the SAME versions of all packages
but with hardened now).

Here is the list of commands I used to convert my servers to hardened:

emerge hardened-sources

# Now configure this kernel (without hardened features yet),
# then compile/boot this kernel.

ln -snf ../usr/portage/profiles/hardened/x86/2.6/ /etc/make.profile

# Remove all extra optimization from CFLAGS in /etc/make.conf and
# set -O2.

# Clean up your $PKGDIR (usually /usr/portage/packages/) to optimize
# compile time using emerge -b and emerge -k later.

emerge -C linux-headers
emerge linux-headers glibc binutils gcc-config gcc

# Here do all operations needed for upgrading gcc, if needed.

emerge -b glibc binutils gcc portage
emerge -bke system
emerge -ke world

glsa-check -l | grep '\[N\]'

# Manually upgrade packages shown by glsa-check, if needed.

emerge -a --depclean
emerge -uDNa world

emerge paxtest paxctl gradm

revdep-rebuild

dispatch-conf

# Now reconfigure the kernel with hardened features switched on,
# then compile/boot this kernel.

--
WBR, Alex.
--
gentoo-hardened@g.o mailing list
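
The make.profile and CFLAGS steps in the command list above can be verified before starting the long rebuild. The following is an added example, not part of the original mail; the function names and the set of flags treated as "extra optimization" are assumptions of this example.

```sh
#!/bin/sh
# Added example: check the make.profile and CFLAGS steps before rebuilding.
# Function names and the "extra optimization" flag list are assumptions.

# Succeed only if the symlink points into a hardened profile directory.
profile_is_hardened() {
    [ -L "$1" ] || return 1
    case $(readlink "$1") in
        */profiles/hardened/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of the last CFLAGS= assignment in a make.conf-style file.
get_cflags() {
    sed -n 's/^[[:space:]]*CFLAGS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Print, one per line, flags that go beyond plain -O2.
extra_opt_flags() {
    for f in $(get_cflags "$1"); do
        case $f in
            -O2) ;;
            -O*|-ffast-math|-funroll-*|-fomit-frame-pointer) echo "$f" ;;
        esac
    done
}

# Usage: check_hardened_prereqs /etc/make.profile /etc/make.conf
# Returns 0 when the profile is hardened and CFLAGS has -O2 and no extras.
check_hardened_prereqs() {
    profile=$1 conf=$2 rc=0
    profile_is_hardened "$profile" || { echo "profile: not hardened"; rc=1; }
    case " $(get_cflags "$conf") " in
        *" -O2 "*) ;;
        *) echo "CFLAGS: -O2 missing"; rc=1 ;;
    esac
    extra=$(extra_opt_flags "$conf")
    [ -z "$extra" ] || { echo "CFLAGS: extra flags:" $extra; rc=1; }
    return $rc
}

# Run the check only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then check_hardened_prereqs "$1" "$2"; fi
```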